We'll probably want to make this configurable with a
lxc.cgroupns = [1|0], but for now just always do it.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
---
Changelog
20160104: only try to unshare if /proc/self/ns/cgroup exists.
#ifndef CLONE_NEWNS
# define CLONE_NEWNS 0x00020000
#endif
+#ifndef CLONE_NEWCGROUP
+# define CLONE_NEWCGROUP 0x02000000
+#endif
#ifndef CLONE_NEWUTS
# define CLONE_NEWUTS 0x04000000
#endif
if (handler->backgrounded && null_stdfds() < 0)
goto out_warn_father;
+ if (cgns_supported() && unshare(CLONE_NEWCGROUP) != 0) {
+ SYSERROR("Failed to unshare cgroup namespace");
+ goto out_warn_father;
+ }
+
/* after this call, we are in error because this
* ops should not return as it execs */
handler->ops->start(handler, handler->data);
return stat(f, &statbuf) == 0;
}
+bool cgns_supported(void)
+{
+ return file_exists("/proc/self/ns/cgroup");
+}
+
/* historically lxc-init has been under /usr/lib/lxc and under
* /usr/lib/$ARCH/lxc. It now lives as $prefix/sbin/init.lxc.
*/
int detect_ramfs_rootfs(void);
char *on_path(char *cmd, const char *rootfs);
bool file_exists(const char *f);
+bool cgns_supported(void);
char *choose_init(const char *rootfs);
int print_to_file(const char *file, const char *content);
bool switch_to_ns(pid_t pid, const char *ns);
projects / thirdparty / lxc.git / commitdiff
